
HDD Wiping

passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

Let's say somebody gets access to the host protected area of a zeros-filled HDD …and then what ? I'd be interested to know if that could be used for further data recovery ?! And if yes, how?!

I don't understand the question.
jaclaz

Surviving the wipe process, could the data stored in the HPA be used to recover data from the previously zeroed disk ?!


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Surviving the wipe process, could the data stored in the HPA be used to recover data from the previously zeroed disk ?!

Why not (in theory).
Let's say you have a 1 Tb disk.
You make two 512 Gb partitions on it.
You write all your data to first partition.
Then you mirror the first partition on the second partition.
Then you create a (huge) HPA with the extents of the second partition.
Your dd if=nul of=/dev/sdx will nicely zero out the first partition without touching the second one.

jaclaz


   
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

Surviving the wipe process, could the data stored in the HPA be used to recover data from the previously zeroed disk ?!

Why not (in theory).
Let's say you have a 1 Tb disk.
You make two 512 Gb partitions on it.
You write all your data to first partition.
Then you mirror the first partition on the second partition.
Then you create a (huge) HPA with the extents of the second partition.
Your dd if=nul of=/dev/sdx will nicely zero out the first partition without touching the second one.

jaclaz

Or better say the answer is no! You talk about partitions and partition HPA extents, while I was talking about a zeroed disk, not logical partitions )

dd if=/dev/zero of=/dev/sdx will fill with zeros the whole HDD, no matter how many partitions you got.

dd if=/dev/zero of=/dev/sdxn will fill with zeros only the specified partition, this we can maybe name partition wiping, but not disk wiping for sure.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Or better say the answer is no! You talk about partitions and partition HPA extents, while I was talking about a zeroed disk, not logical partitions )

dd if=/dev/zero of=/dev/sdx will fill with zeros the whole HDD, no matter how many partitions you got.

dd if=/dev/zero of=/dev/sdxn will fill with zeros only the specified partition, this we can maybe name partition wiping, but not disk wiping for sure.

The answer is still YES.

There is a form of misunderstanding.

A 1 Tb disk with a HPA of 512 Gb will result 512 Gb in size.
If you prefer, the /dev/sdx will be 512 Gb in size, and thus you will write 00's only to the first 512 Gb of the device.

Simplified
Before
1st partition=Extents from 0 to 512 Gb
2nd partition=Extents from 512 to 1024 Gb
Total size of the device 1 Tb.

After
1st partition=Extents from 0 to 512 Gb
HPA=Extents from 512 to 1024 Gb
Total size of the device 512 Gb.

A disk with a Host Protected Area will show to the Host as having smaller capacity than it really has, or if you prefer using a HPA is a way to reduce the capacity of a hard disk as seen from the OS.

jaclaz


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

But it also has to be said that detecting and removing the HPA is quick and easy. So it isn't particularly good protection.


   
mokosiy
(@mokosiy)
Trusted Member
Joined: 13 years ago
Posts: 55
 

But it also has to be said that detecting and removing the HPA is quick and easy. So it isn't particularly good protection.

Yes, and there is also the "libata.ignore_hpa=1" Linux kernel boot option, which helps overcome the HPA limit even if one does not have much technical knowledge.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

But it also has to be said that detecting and removing the HPA is quick and easy. So it isn't particularly good protection.

Yes, and there is also the "libata.ignore_hpa=1" Linux kernel boot option, which helps overcome the HPA limit even if one does not have much technical knowledge.

Sure it is not a "good" protection, but out of the good people that use software for the 3 or 7 passes DOD wiping, it seems that none has yet mentioned the "verify if a HPA is present" on the checklist … wink

I would also be not too sure that *all* forensic software have (like - to remain between us - OsForensics has)
http://www.osforensics.com/hidden-areas-hpa-dco.html
an in-built provision for HPA and DCO.

Time to talk about disabled heads, P-lists and G-lists? ? 😯

Before I forget
http://www.recover.co.il/SA-cover/SA-cover.pdf

jaclaz
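
The "verify if an HPA is present" checklist item discussed above, as an added example that is not part of any poster's message: a pre-wipe check that parses the "max sectors = visible/native" line printed by `hdparm -N`. The function names, the sample outputs and the 512-byte sector size are assumptions made for this example, and it does not look at DCO.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to call a disk "wiped"
# while a Host Protected Area hides part of it from the OS.
# Real use:  hdparm -N /dev/sdx | pre_wipe_check

# Constructed sample outputs: a 1 TB disk with its upper half hidden by
# an HPA (the scenario from the thread), and the same disk without one.
SAMPLE_HPA='/dev/sdx:
 max sectors   = 976762584/1953525168, HPA is enabled'
SAMPLE_CLEAN='/dev/sdx:
 max sectors   = 1953525168/1953525168, HPA is disabled'

# Reads `hdparm -N` output on stdin and prints how many sectors are
# hidden from the host (0 = none). Exits 2 if the line is missing.
hpa_hidden_sectors() {
    awk -F'[=/,]' '
        /max sectors/ {
            visible = $2 + 0      # what /dev/sdx exposes to dd
            native  = $3 + 0      # what the drive really has
            printf "%.0f\n", native - visible
            found = 1
        }
        END { if (!found) exit 2 }'
}

# Prints a verdict; returns 0 only when a whole-device overwrite
# would reach the native capacity, 1 if an HPA is set, 2 if unknown.
pre_wipe_check() {
    hidden=$(hpa_hidden_sectors) || {
        echo "UNKNOWN: no 'max sectors' line, do not assume the disk is fully visible"
        return 2
    }
    if [ "$hidden" -gt 0 ]; then
        # 512-byte sectors assumed for the size estimate
        echo "HPA present: $hidden sectors (~$((hidden * 512 / 1000000000)) GB) would survive the wipe"
        return 1
    fi
    echo "OK: no HPA, the overwrite covers the native capacity"
}

# Demonstration on the constructed samples
printf '%s\n' "$SAMPLE_HPA"   | pre_wipe_check || true
printf '%s\n' "$SAMPLE_CLEAN" | pre_wipe_check || true
```
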


   